forbid insecure repositories by default expect in apt-get

With this commit all APT-based clients default to refusing to work with
unsigned or otherwise insufficently secured repositories. In terms of
apt and apt-get this changes nothing, but it effects all tools using
libapt like aptitude, synaptic or packagekit.

The exception remains apt-get for stretch for now as this might break
too many scripts/usecases too quickly.

The documentation is updated and extended to reflect how to opt out or
in on this behaviour change.

Closes: 808367

3 files changed, 50 insertions, 28 deletions

diff --git a/doc/apt-get.8.xml b/doc/apt-get.8.xml
index 20d761075..8fc6cc26d 100644
--- a/doc/apt-get.8.xml
+++ b/doc/apt-get.8.xml
@@ -563,8 +563,9 @@
 
      <varlistentry><term><option>--no-allow-insecure-repositories</option></term>
      <listitem><para>Forbid the update command to acquire unverifiable
-     data from configured sources. Apt will fail at the update command
-     for repositories without valid cryptographically signatures.
+     data from configured sources. APT will fail at the update command
+     for repositories without valid cryptographically signatures. See
+     also &apt-secure; for details on the concept and the implications.
 
      Configuration Item: <literal>Acquire::AllowInsecureRepositories</literal>.</para></listitem>
      </varlistentry>
diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml
index 1cf6539c6..2c1c192d4 100644
--- a/doc/apt-secure.8.xml
+++ b/doc/apt-secure.8.xml
@@ -13,7 +13,7 @@
    &apt-email;
    &apt-product;
    <!-- The last update date -->
-   <date>2015-10-15T00:00:00Z</date>
+   <date>2016-03-18T00:00:00Z</date>
  </refentryinfo>
 
  <refmeta>
@@ -48,22 +48,46 @@
    Starting with version 0.6, <command>APT</command> contains code that does
    signature checking of the Release file for all repositories. This ensures
    that data like packages in the archive can't be modified by people who
-   have no access to the Release file signing key.
+   have no access to the Release file signing key. Starting with version 1.1
+   <command>APT</command> requires repositories to provide recent authentication
+   information for unimpeded usage of the repository.
    </para>
 
    <para>
    If an archive has an unsigned Release file or no Release file at all
-   current APT versions will raise a warning in <command>update</command>
-   operations and front-ends like <command>apt-get</command> will require
-   explicit confirmation if an installation request includes a package from
-   such an unauthenticated archive.
+   current APT versions will refuse to download data from them by default
+   in <command>update</command> operations and even if forced to download
+   front-ends like &apt-get; will require explicit confirmation if an
+   installation request includes a package from such an unauthenticated
+   archive.
    </para>
 
    <para>
-   In the future APT will refuse to work with unauthenticated repositories by
-   default until support for them is removed entirely. Users have the option to
-   opt-in to this behavior already by setting the configuration option
-   <option>Acquire::AllowInsecureRepositories</option> to <literal>false</literal>.
+   As a temporary exception &apt-get; (not &apt;!) raises warnings only if it
+   encounters unauthenticated archives to give a slightly longer grace period
+   on this backward compatibility effecting change. This exception will be removed
+   in future releases and you can opt-out of this grace period by setting the
+   configuration option <option>Binary::apt-get::Acquire::AllowInsecureRepositories</option>
+   to <literal>false</literal> or <option>--no-allow-insecure-repositories</option>
+   on the command line.
+   </para>
+
+   <para>
+   You can force all APT clients to raise only warnings by setting the
+   configuration option <option>Acquire::AllowInsecureRepositories</option> to
+   <literal>true</literal>. Note that this option will eventually be removed.
+   Users also have the <option>Trusted</option> option available to disable
+   even the warnings, but be sure to understand the implications as detailed in
+   &sources-list;.
+   </para>
+
+   <para>
+   A repository which previously was authentication but would loose this state in
+   an <command>update</command> operation raises an error in all APT clients
+   irrespective of the option to allow or forbid usage of insecure repositories.
+   The error can be overcome by additionally setting
+   <option>Acquire::AllowDowngradeToInsecureRepositories</option>
+   to <literal>true</literal>.
    </para>
 
    <para>
diff --git a/doc/apt.conf.5.xml b/doc/apt.conf.5.xml
index d71f99c0a..015401605 100644
--- a/doc/apt.conf.5.xml
+++ b/doc/apt.conf.5.xml
@@ -650,27 +650,24 @@ APT::Compressor::rev {
 
      <varlistentry><term><option>AllowInsecureRepositories</option></term>
 	 <listitem><para>
-           Allow the update operation to load data files from
-           a repository without a trusted signature. If enabled this
-           option no data files will be loaded and the update
-           operation fails with a error for this source. The default
-           is false for backward compatibility. This will be changed
-           in the future.
+	   Allow update operations to load data files from
+	   repositories without sufficient security information.
+	   The default value is "<literal>false</literal>".
+	   Concept and implications of this are detailed in &apt-secure;.
 	 </para></listitem>
      </varlistentry>
 
      <varlistentry><term><option>AllowDowngradeToInsecureRepositories</option></term>
 	 <listitem><para>
-           Allow that a repository that was previously gpg signed to become
-           unsigned durign a update operation. When there is no valid signature
-           of a previously trusted repository apt will refuse the update. This
-           option can be used to override this protection. You almost certainly
-           never want to enable this. The default is false.
-
-           Note that apt will still consider packages from this source
-           untrusted and warn about them if you try to install
-           them.
-         </para></listitem>
+	   Allow that a repository that was previously gpg signed to become
+	   unsigned during an update operation. When there is no valid signature
+	   for a previously trusted repository apt will refuse the update. This
+	   option can be used to override this protection. You almost certainly
+	   never want to enable this. The default is <literal>false</literal>.
+
+	   Note that apt will still consider packages from this source
+	   untrusted and warns about them if you try to install them.
+	 </para></listitem>
      </varlistentry>
 
      <varlistentry><term><option>Changelogs::URI</option> scope</term>